STATE-24

SYSTEM NAME: 

Medical Records. 

SYSTEM LOCATION: 

Department of State, Office of Medical
Services, 2401 E Street NW, Washington,
DC 20522, and health units at posts abroad.

CATEGORIES OF INDIVIDUALS
COVERED BY THE SYSTEM:

U.S. Government employees, family
members, and any other individuals eligible
to participate in the health care program of
the U.S. Department of State as authorized
by either section 904 of the Foreign Service
Act of 1980 (22 U.S.C. 4084) or other legal
authority.

CATEGORIES OF RECORDS IN THE 
SYSTEM: 

Includes name; social security number; date 
of birth; address to include email and phone 
number; reports of medical examinations 
and related documents; reports of treatments 
and other health services rendered to 
individuals; narrative summaries of hospital 
treatments; personal medical histories; 
reports of on-the-job injuries or illnesses; 
and reports on medical evacuation, and/or 
any other types of individually identifiable 
health information generated or used in the 
course of conducting "health care 
operations" as this term is defined at 45 
CFR 164.501. This system includes records 
that contain "protected health information" 
as this term is defined at 45 CFR 164.501, 
and, accordingly, does not include records 
maintained by the Department of State 
and/or other employers in their capacity as 
employers. This system also includes certain 
records maintained as part of the 
Department's Employee Assistance Program 
pursuant to 5 CFR Part 792. 



AUTHORITY FOR MAINTENANCE 
OF THE SYSTEM: 

22 U.S.C. 4084; 42 U.S.C. 290dd-1; Public
Law 99-570 §§ 7361-7362; and 5 CFR Part 
792. 

PURPOSE: 

The information contained in these records 
is used to administer the Department of 
State's medical program. These records are 
utilized and reviewed by medical and 
administrative personnel of the Office of 
Medical Services (MED) in providing health 
care to the individuals eligible to participate 
in the health care program.

ROUTINE USES OF RECORDS
MAINTAINED IN THE SYSTEM,
INCLUDING CATEGORIES OF USERS
AND THE PURPOSES OF SUCH USES:

Routine use of information from these
files includes any use permitted by the 
Health Insurance Portability and 
Accountability Act (HIPAA) Privacy Rule 
at 45 CFR Part 164 for which no 
authorization or opportunity to agree or 
object is required by the subject of the 
information. Specifically, we may 
disclose the information: 
— To a "business associate" as that term is 
defined at 45 CFR 160.103; to another 
health care provider; or to a group health 
plan or health insurance issuer or health 
maintenance organization for purposes of 
carrying out treatment, payment or health 
care operations; 

— To a parent, guardian or other person 
acting in loco parentis with respect to the 
subject of the information; 
— To a health oversight agency or public 
health authority authorized by law to 
investigate or otherwise oversee the relevant 
conduct or conditions of the Department of 
State's medical program, or for such 
oversight activities as audits; civil, 
administrative, or criminal proceedings or 
actions; inspections; licensure or 
disciplinary actions; 



— To a public health authority (domestic or 
foreign) that is authorized by law to collect 
or receive protected health information for 
the purpose of preventing or controlling 
disease, injury, or disability, including, but 
not limited to, the reporting of disease, 
injury, vital events such as birth or death, 
and the conduct of public health 
surveillance, public health investigations, 
and public health interventions; 
— To the U.S. Department of Health and 
Human Services (HHS), when required by 
the Secretary of HHS in order to investigate 
or determine compliance with the HIPAA; 
— To a public health authority or other 
appropriate government authority (domestic 
or foreign) authorized by law to receive 
reports of child abuse or neglect; 
— To a person subject to the jurisdiction of 
the Food and Drug Administration (FDA) 
with respect to an FDA-regulated product or 
activity for which that person has 
responsibility, for the purpose of activities 
related to the quality, safety or effectiveness 
of such FDA-regulated product or activity; 
— To a person who may have been exposed 
to a communicable disease or may otherwise 
be at risk of contracting or spreading a 
disease or condition, to the extent MED is 
authorized by law to notify such person as 
necessary in the conduct of a public health 
intervention or investigation; 
— To a government authority (domestic or 
foreign), including a social service or 
protective services agency, authorized by 
law to receive reports of abuse, neglect or 
domestic violence, (1) To the extent such a 
disclosure is required by law; (2) where in 
the exercise of professional judgment, the 
disclosure is necessary to prevent serious 
harm to the individual or other potential 
victims; or (3) where, if the subject of the 
information is incapacitated, a law 
enforcement, or other public official 
authorized to receive the report, represents 
that the information sought is not intended
to be used against the individual and that an
immediate enforcement activity that depends 
upon the disclosure would be adversely 
affected by waiting until the individual is 
able to agree to the disclosure; 
— In the course of any judicial or 
administrative proceeding in response to an 
order of a court or administrative tribunal; 
— To a law enforcement official (1) As 
required by law or in compliance with a 
court order or court-ordered warrant, or a 
subpoena or summons issued by a judicial 
officer, or a grand jury subpoena, or an 
administrative request, including an 
administrative subpoena or summons; (2) in 
response to a request for the purposes of 
identifying or locating a suspect, fugitive, 
material witness or missing person; in 
response to a request for such information 
about an individual who is or is suspected to 
be a victim of a crime; (3) where it is 
believed in good faith that such
information constitutes evidence of criminal 
conduct; or (4) in response to an emergency, 
where it is believed such disclosure is 
necessary to alert law enforcement to the 
commission and nature of a crime, the 
location of such crime or of the victim(s) of 
such crime, and the identity, description and 
location of the perpetrator of such crime; 
— As necessary in order to prevent or lessen 
a serious and imminent threat to the health 
or safety of a person or the public, to a 
person or persons reasonably able to prevent 
or lessen the threat, including the target of 
the threat; 

— To authorized federal officials for the 
conduct of lawful intelligence,
counterintelligence, and other national security
activities authorized by the National
Security Act (50 U.S.C. 401, et seq.) and
implementing authority (e.g., Executive
Order 12333);

— To authorized federal officials for the 
provision of protective services to the 
President or other persons authorized by 18
U.S.C. 3056, or to foreign heads of state or
other persons authorized by 22 U.S.C. 
2709(a)(3), or for the conduct of 
investigations authorized by 18 U.S.C. 871 
and 879. 

— To make medical suitability 
determinations and disclose whether or not 
an individual is determined to be medically 
suitable to the officials in the Department of 
State who need access to such information 
(1) For the purposes of a national security 
clearance conducted pursuant to Executive 
Orders 10450 and 12698; (2) as necessary to 
determine worldwide availability, suitability 
for particular assignments, suitability for 
mandatory service abroad under sections 
101(a)(4) and 504 of the Foreign Service 
Act; or (3) for a family to accompany a 
Foreign Service member abroad, consistent 
with section 101(b)(5) and 904 of the 
Foreign Service Act. 
— To a correctional institution or a law 
enforcement official having lawful custody 
of an individual, if the correctional 
institution or law enforcement official 
represents that such information is necessary 
for the provision of health care to such 
individual, the health and safety of other 
individuals or others at the correctional 
institution, or the administration and 
maintenance of the safety, security, and 
good order of the correctional institution; 
— To appropriate domestic or foreign 
government officials (including but not 
limited to the U.S. Department of Labor), as 
authorized by and to the extent necessary to 
comply with laws relating to workers' 
compensation or other similar programs, 
established by law, that provide benefits for 
work-related injuries or illnesses without 
regard to fault. 

POLICIES AND PRACTICES FOR 
STORING, RETRIEVING, 
ACCESSING, RETAINING, AND 
DISPOSING OF RECORDS IN THE 
SYSTEM: 



STORAGE: 

Records are stored in hard copy and
computer media.

RETRIEVABILITY:

By individual name and date of birth. 

SAFEGUARDS: 

All users are given information system 
security awareness training, including the 
procedures for handling Sensitive but 
Unclassified information and personally 
identifiable information. Annual refresher 
training is mandatory. Before being granted 
access to medical records, a user must first 
be granted access to the Department of State 
computer system. 

Remote access to the Department of State 
network from non-Department owned 
systems is only authorized through a 
Department approved access program. 
Remote access to the network is configured 
with the Office of Management and Budget 
Memorandum M-07-16 security 
requirements of two factor authentication 
and time out function.

All Department of State employees and
contractors with authorized access have 
undergone a thorough background security 
investigation. Access to the Department of 
State, its annexes and posts abroad is 
controlled by security guards and admission 
is limited to those individuals possessing a 
valid identification card or individuals under 
proper escort. All records containing 
medical information are maintained in 
secured file cabinets in restricted areas, 
access to which is limited to authorized 
personnel. Access to computerized files is 
password protected and under the direct 
supervision of the system manager. The 
system manager has the capability of 
printing audit trails of access from the 
computer media, thereby permitting regular 
and ad hoc monitoring of computer usage. 
When it is determined that a user no
longer needs access, the user account
is disabled.



RETENTION AND DISPOSAL: 

Records are retired or destroyed in 
accordance with published schedules of the 
Department of State. More specific 
information may be obtained by writing the 
Director of Medical Records, Office of 
Medical Services, 2401 E Street NW, 
Washington, DC 20522.

SYSTEM MANAGER(S) AND
ADDRESS:

Executive Officer, Office of Medical 
Services, Room 2270, Department of State, 
2401 E Street NW, Washington, DC 20522.

NOTIFICATION PROCEDURE:

Individuals who have cause to believe that
the Office of Medical Services might have 
records pertaining to them should write to 
Medical Records, Office of Medical 
Services, Department of State, 2401 E Street 
NW, Washington, DC 20522. The individual 
must include his or her: name; date and 
place of birth; current mailing address and 
zip code; signature; the agency served by the 
medical program with which the individual 
was or is an employee or a dependent; and 
the approximate dates of such employment 
or dependency. 

RECORD ACCESS PROCEDURES: 

Individuals who wish to gain access to or 
amend records pertaining to them should 
write to the Director of Medical Records 
(see address above).

CONTESTING RECORD
PROCEDURES:

(See Record Access Procedures above.)

RECORD SOURCE CATEGORIES:

Information contained in these records
comes from the individual; hospitals; 
clinics; private physicians; employers; and 
medical professionals employed by the 
Department of State.

SYSTEM EXEMPTED FROM
CERTAIN PROVISIONS UNDER THE
PRIVACY ACT:

None.



